This customer of OVH appears to be registered with fake details, and are distributing malware via a block at 178.33.217.64/28. Currently, the following IPs are distributing some sort of unidentified exploit kit:
178.33.217.64
178.33.217.70
178.33.217.71
178.33.217.78
178.33.217.79
A list of the domains associated with those IPs can be found here [pastebin].
OVH have allocated the IP range to this customer:
organisation: ORG-JR46-RIPE
org-name: Jason Reily
org-type: OTHER
address: 32 Oldfarm Road
address: GB21DB London
address: GB
e-mail: ourbills@evolution-host.com
abuse-mailbox: ourbills@evolution-host.com
phone: +353.8429143
mnt-ref: OVH-MNT
mnt-by: OVH-MNT
created: 2016-05-24T18:16:03Z
last-modified: 2016-05-24T18:16:03Z
source: RIPE
There is no such address in London, the postcode is obviously invalid and the telephone number appears to be an Irish mobile phone. Checking the evolution-host.com domain reveals something similar:
Registrant Name: OWEN PHILLIPSON
Registrant Organization: EVOLUTION HOST
Registrant Street: 24 OLDFARM ROAD
Registrant City: LONDON
Registrant State/Province: LONDON
Registrant Postal Code: SW19 3RQ
Registrant Country: GB
Registrant Phone: +353.851833708
Registrant Phone Ext:
Registrant Fax: +44.7479012225
Registrant Fax Ext:
Registrant Email: info@evolutionhost.co.uk
Registry Admin ID:
Again, an invalid address with a different street number from before and an Irish telephone number. We can look at evolutionhost.co.uk too..
Registrant:
Owen Phillipson
Registrant type:
UK Sole Trader
Registrant's address:
24 Oldfarm Road
London
London
SW19 3RQ
United Kingdom
Data validation:
Nominet was able to match the registrant's name and address against a 3rd party data
source on 09-Feb-2014
Obviously Nominet's validation process isn't worth rat shit. The Evolution Host website appears to have no contact details at all.
RIPE associates the tag ORG-JR46-RIPE with the following IP ranges, all rented from OVH. I suggest you block all of them:
91.134.220.108/30
92.222.208.240/28
149.202.98.244/30
176.31.223.164/30
178.33.217.64/28
UPDATE
A contact says that IP listed at the beginning of the post are the Neutrino Exploit Kit.
Tuesday, 20 September 2016
Evil network: 178.33.217.64/28 et al (evolution-host.com, customer of OVH)
Labels:
Evil Network,
France,
Neutrino,
OVH
Malware spam: "Tracking data" leads to Locky
This spam has a malicious attachment leading to Locky ransomware:
The sender's name and reference numbers vary. Attached is a randomly named .ZIP file containing a malicious .js script named in the format tracking data ~C503090F~.js (the hexadecimal number is random) plus a junk file with a single-letter name.
Analysis of the attachments is pending.
UPDATE
Hybrid Analysis of various samples [1] [2] [3] [4] shows the script downloading from various locations:
akinave.ru/ckk7y
solenapeak.com/ha4n2
vetchsoda.org/uemmdt
akinave.ru/1e11lhrk
All of these are hosted on:
178.212.131.10 (21 Century Telecom Ltd, Russia)
95.173.164.205 (Netinternet Bilisim Teknolojileri AS, Turkey)
The malware then phones home to the following locations:
91.223.88.205/data/info.php (Anton Malyi aka conturov.net, Ukraine)
176.103.56.105/data/info.php (Ivanov Vitaliy Sergeevich aka xserver.ua, Ukraine)
46.38.52.225/data/info.php (TCTEL, Russia)
195.64.154.202/data/info.php (Ukrainian Internet Names Center, Ukraine)
kixxutnpikppnslx.xyz/data/info.php [91.223.88.209] (Anton Malyi aka conturov.net, Ukraine)
A DLL is dropped with a detection rate of 13/57.
Recommended blocklist:
178.212.131.10
95.173.164.205
91.223.88.0/24
46.38.52.225
195.64.154.202
From: Loretta Gilmore
Date: 20 September 2016 at 08:31
Subject: Tracking data
Good afternoon [redacted],
Your item #9122164-201609 has been sent to you by carrier.
He will arrive to you on 23th of September, 2016 at noon.
The tracking data (4fec25a8429fd7485c56c9211151eb42d59b57abf402cc363bc635) is attached.
The sender's name and reference numbers vary. Attached is a randomly named .ZIP file containing a malicious .js script named in the format tracking data ~C503090F~.js (the hexadecimal number is random) plus a junk file with a single-letter name.
Analysis of the attachments is pending.
UPDATE
Hybrid Analysis of various samples [1] [2] [3] [4] shows the script downloading from various locations:
akinave.ru/ckk7y
solenapeak.com/ha4n2
vetchsoda.org/uemmdt
akinave.ru/1e11lhrk
All of these are hosted on:
178.212.131.10 (21 Century Telecom Ltd, Russia)
95.173.164.205 (Netinternet Bilisim Teknolojileri AS, Turkey)
The malware then phones home to the following locations:
91.223.88.205/data/info.php (Anton Malyi aka conturov.net, Ukraine)
176.103.56.105/data/info.php (Ivanov Vitaliy Sergeevich aka xserver.ua, Ukraine)
46.38.52.225/data/info.php (TCTEL, Russia)
195.64.154.202/data/info.php (Ukrainian Internet Names Center, Ukraine)
kixxutnpikppnslx.xyz/data/info.php [91.223.88.209] (Anton Malyi aka conturov.net, Ukraine)
A DLL is dropped with a detection rate of 13/57.
Recommended blocklist:
178.212.131.10
95.173.164.205
91.223.88.0/24
46.38.52.225
195.64.154.202
Monday, 19 September 2016
Malware spam: "Order: 28112610/00 - Your ref.: 89403" leads to Locky
This fake financial spam has a malicious attachment that leads to Locky ransomware.
I have only seen a single sample so far, but I understand that reference numbers and names vary. Attached is a malicious .DOCM file with a name in the format OffOrd_87654321-00-1234567-654321.docm , my trusted source says that the various versions download a component from:
bernardchandran.com/67SELbosjc358
bobneal.net/67SELbosjc358
burgeoservise.ru/67SELbosjc358
dirkdj.nl/67SELbosjc358
emperesseconcierge.com/67SELbosjc358
extramileteam.com/67SELbosjc358
fernandoarias.org/67SELbosjc358
festivaldhamaka.com/67SELbosjc358
fungasoap.net/67SELbosjc358
grupoalana.com/67SELbosjc358
hellolanguage.com/67SELbosjc358
heritagebaptistchurch.ca/67SELbosjc358
hotelcelnice.cz/67SELbosjc358
judgedeborahshallcross.com/67SELbosjc358
kursustokoonline.net/67SELbosjc358
lomtalay.com/67SELbosjc358
ncmartec.org/67SELbosjc358
omeryilmaz.com/67SELbosjc358
puchipuchivirus.com/67SELbosjc358
sadek-music.com/67SELbosjc358
scanarchives.com/67SELbosjc358
seokonya.com/67SELbosjc358
techscape4.com/67SELbosjc358
thaihomecondo.com/67SELbosjc358
win88id.com/67SELbosjc358
zheng-du.com/67SELbosjc358
It drops a DLL which had a moderate detection rate earlier. This version of Locky does not communicate with C2 servers, so if you want to block or monitor traffic perhaps you should use the string 67SELbosjc358.
Subject: Order: 28112610/00 - Your ref.: 89403
From: Melba lochhead (SALES1@krheadshots.com)
Date: Monday, 19 September 2016, 16:05
Dear customer,
Thank you for your order.
Please find attached our order confirmation.
Should you be unable to open the links in the document, you can download the latest version of Adobe Acrobat Reader for free via the following link: http://www.adobe.com/products/acrobat/readstep2.html
Should you have any further questions, do not hesitate to contact me.
Kind Regards,
Melba lochhead
Internal Sales Advisor - Material Handling Equipment Parts & Accessories
SALES1@krheadshots.com
TVH UK LTD
UNIT 17 PARAGON WAY • GB-CV7 9QS EXHALL, COVENTRY
T 02476 585 000 • F 02476 585 001 • www.tvh-uk.co.uk
Watch our company movies on www.tvh.tv
Take our forklift and aerial work platform challenge!
Identify 10 brands by their machines. Be the fastest and win great prizes! Click on the image to start the quiz.
I have only seen a single sample so far, but I understand that reference numbers and names vary. Attached is a malicious .DOCM file with a name in the format OffOrd_87654321-00-1234567-654321.docm , my trusted source says that the various versions download a component from:
bernardchandran.com/67SELbosjc358
bobneal.net/67SELbosjc358
burgeoservise.ru/67SELbosjc358
dirkdj.nl/67SELbosjc358
emperesseconcierge.com/67SELbosjc358
extramileteam.com/67SELbosjc358
fernandoarias.org/67SELbosjc358
festivaldhamaka.com/67SELbosjc358
fungasoap.net/67SELbosjc358
grupoalana.com/67SELbosjc358
hellolanguage.com/67SELbosjc358
heritagebaptistchurch.ca/67SELbosjc358
hotelcelnice.cz/67SELbosjc358
judgedeborahshallcross.com/67SELbosjc358
kursustokoonline.net/67SELbosjc358
lomtalay.com/67SELbosjc358
ncmartec.org/67SELbosjc358
omeryilmaz.com/67SELbosjc358
puchipuchivirus.com/67SELbosjc358
sadek-music.com/67SELbosjc358
scanarchives.com/67SELbosjc358
seokonya.com/67SELbosjc358
techscape4.com/67SELbosjc358
thaihomecondo.com/67SELbosjc358
win88id.com/67SELbosjc358
zheng-du.com/67SELbosjc358
It drops a DLL which had a moderate detection rate earlier. This version of Locky does not communicate with C2 servers, so if you want to block or monitor traffic perhaps you should use the string 67SELbosjc358.
Labels:
Locky,
Malware,
Ransomware,
Spam,
Viruses
Malware spam: "Express Parcel service" leads to Locky
This spam has a malicious attachment:
The Hybrid Analysis for one sample shows a download location of:
178.212.131.10/z3zeg (21 Century Telecom Ltd, Russia)
There are probably others (I'll post them if I get them). The payload appears to be Locky ransomware, phoning home to:
195.64.154.202/data/info.php (Ukrainian Internet Names Center LTD, Ukraine)
46.38.52.225/data/info.php (TCTEL, Russia)
ajsrbomqrrlra.pw/info.php [91.223.88.209] (Private Person Anton Malyi aka conturov.net, Ukraine)
It drops a DLL with a detection rate of 8/54.
UPDATE
These Hybrid Analysis reports of other samples [1] [2] [3] [4] [5] show other download locations at:
roxieimshi.com/eppmn
roxieimshi.com/y4lf1neg
foveawaac.net/yjmaazj
foveawaac.net/wzwzjply
merofid.com/zn6mcj
All of these domains are hosted on evil IPs:
178.212.131.10 (21 Century Telecom Ltd, Russia)
91.194.250.131 (Evgeniy Zbarazhskiy aka TOV 'Dream Line Holding', Ukraine)
These domains are all related and should be considered malicious:
duelrid.com
merofid.com
pradran.com
adzebury.com
amrastacy.com
bulkreasy.com
sternhala.com
gobantakao.com
roxieimshi.com
tearyrecce.com
wyvesnarl.info
aborik.net
ecadxyst.net
maydayen.net
ponggirr.net
foveawaac.net
normadnex.net
pawlrubia.net
pradkevyn.net
satyrwelf.net
vernpucka.net
yerndrunk.net
latexuchee.net
maggycocoa.net
moismdheri.net
rokerlelia.net
sparmsov.org
citmowra.in
swagpaty.in
Recommended blocklist:
195.64.154.202
46.38.52.225
91.223.88.209
178.212.131.10
91.194.250.131
The last one listed in italics is part of the update.
From: Marla CampbellAttached is a randomly named ZIP file containing a malicious .js script in the format Express Parcel service ~0A1B2C~.js with a junk w file that seems to contain nothing.
Date: 19 September 2016 at 09:09
Subject: Express Parcel service
Dear [redacted], we have sent your parcel by Express Parcel service.
The attachment includes the date and time of the arrival and the lists of the items you ordered. Please check them.
Thank you.
The Hybrid Analysis for one sample shows a download location of:
178.212.131.10/z3zeg (21 Century Telecom Ltd, Russia)
There are probably others (I'll post them if I get them). The payload appears to be Locky ransomware, phoning home to:
195.64.154.202/data/info.php (Ukrainian Internet Names Center LTD, Ukraine)
46.38.52.225/data/info.php (TCTEL, Russia)
ajsrbomqrrlra.pw/info.php [91.223.88.209] (Private Person Anton Malyi aka conturov.net, Ukraine)
It drops a DLL with a detection rate of 8/54.
UPDATE
These Hybrid Analysis reports of other samples [1] [2] [3] [4] [5] show other download locations at:
roxieimshi.com/eppmn
roxieimshi.com/y4lf1neg
foveawaac.net/yjmaazj
foveawaac.net/wzwzjply
merofid.com/zn6mcj
All of these domains are hosted on evil IPs:
178.212.131.10 (21 Century Telecom Ltd, Russia)
91.194.250.131 (Evgeniy Zbarazhskiy aka TOV 'Dream Line Holding', Ukraine)
These domains are all related and should be considered malicious:
duelrid.com
merofid.com
pradran.com
adzebury.com
amrastacy.com
bulkreasy.com
sternhala.com
gobantakao.com
roxieimshi.com
tearyrecce.com
wyvesnarl.info
aborik.net
ecadxyst.net
maydayen.net
ponggirr.net
foveawaac.net
normadnex.net
pawlrubia.net
pradkevyn.net
satyrwelf.net
vernpucka.net
yerndrunk.net
latexuchee.net
maggycocoa.net
moismdheri.net
rokerlelia.net
sparmsov.org
citmowra.in
swagpaty.in
Recommended blocklist:
195.64.154.202
46.38.52.225
91.223.88.209
178.212.131.10
91.194.250.131
The last one listed in italics is part of the update.
Friday, 16 September 2016
Locky download locations 2016-09-16
I haven't had a chance to look at Locky today, but here are the current campaign download locations (thanks to my usual source)..
1express.com.sg/54JHbjgcDLG
24hourprintshop.com/54JHbjgcDLG
46709394.com/54JHbjgcDLG
adityastar.com/54JHbjgcDLG
akademistcicek.com/54JHbjgcDLG
all4supply.com/54JHbjgcDLG
apro88.com/54JHbjgcDLG
bsm.sk/54JHbjgcDLG
chelsea-west.com/54JHbjgcDLG
criar-meu-site.com/54JHbjgcDLG
curlysol.com/54JHbjgcDLG
demo.website.pl/54JHbjgcDLG
graveyardsofmilwaukee.org/54JHbjgcDLG
helpmybathroom.com/54JHbjgcDLG
hollystamps.com/54JHbjgcDLG
honeydavis.us/54JHbjgcDLG
inovsol.com/54JHbjgcDLG
islamiccollege.org/54JHbjgcDLG
jsydjc.com/54JHbjgcDLG
lv-nexis.com/54JHbjgcDLG
mclodesigns.com/54JHbjgcDLG
miamilimosina.com/54JHbjgcDLG
mudelts.com/54JHbjgcDLG
mytourbid.com/54JHbjgcDLG
paraspokeri.net/54JHbjgcDLG
psychquiz.com/54JHbjgcDLG
qarmoo.com/54JHbjgcDLG
rentvspb.ru/54JHbjgcDLG
sadeqmedia.com/54JHbjgcDLG
salemwitchcat.com/54JHbjgcDLG
samenart.com/54JHbjgcDLG
sds-india.org/54JHbjgcDLG
shopmjn.com/54JHbjgcDLG
sinergica.cl/54JHbjgcDLG
swivelsrus.com/54JHbjgcDLG
tobybender.com/54JHbjgcDLG
travelvoice.com/54JHbjgcDLG
urachart.com/54JHbjgcDLG
wordpresshosting.co.il/54JHbjgcDLG
xsolution.sk/54JHbjgcDLG
1natureresort.com/afdIJGY8766gyu
allovercoupon.com/afdIJGY8766gyu
bet4good.org/afdIJGY8766gyu
bigfishcasting.com/afdIJGY8766gyu
charlcote1.net/afdIJGY8766gyu
credit-it.com/afdIJGY8766gyu
delicefilm.com/afdIJGY8766gyu
dendang.net/afdIJGY8766gyu
discoverstillwater.com/afdIJGY8766gyu
eiti.co.il/afdIJGY8766gyu
electua.org/afdIJGY8766gyu
espaciosamadhi.com/afdIJGY8766gyu
fenwaycourier.com/afdIJGY8766gyu
gearstuff.net/afdIJGY8766gyu
hawaiipoliticalinfo.org/afdIJGY8766gyu
iandistudio.com/afdIJGY8766gyu
iassess.net/afdIJGY8766gyu
insideinsights.net/afdIJGY8766gyu
insieutoc.com/afdIJGY8766gyu
jxbestextile.com/afdIJGY8766gyu
keratin.sk/afdIJGY8766gyu
kf-design.com/afdIJGY8766gyu
lacumpa.biz/afdIJGY8766gyu
lowcostveterinarios.com/afdIJGY8766gyu
lullaby-babies.co.uk/afdIJGY8766gyu
lusanmaster.com/afdIJGY8766gyu
mika.tohmon.com/afdIJGY8766gyu
mumbomedia.nl/afdIJGY8766gyu
ocscexpo.net/afdIJGY8766gyu
oliveservicedapartments.com/afdIJGY8766gyu
onefilmy.com/afdIJGY8766gyu
pasbardejov.sk/afdIJGY8766gyu
rimpro.ru/afdIJGY8766gyu
salarypra1.net/afdIJGY8766gyu
sandpiperchorus.us/afdIJGY8766gyu
sapanboon.com/afdIJGY8766gyu
techboss.net/afdIJGY8766gyu
tommylam.com/afdIJGY8766gyu
trudprom.ru/afdIJGY8766gyu
zharikoff.ru/afdIJGY8766gyu
bulkreasy.com/7e5a7
bulkreasy.com/8tl3rmh
bulkreasy.com/905jscb
bulkreasy.com/c3vaho
bulkreasy.com/oqn8p
maggycocoa.net/8i00a
maggycocoa.net/i9uje
maggycocoa.net/uml71ij
maggycocoa.net/z8xl3w7q
maggycocoa.net/zi6mrx
yerndrunk.net/esab0
yerndrunk.net/ez5jqc0n
yerndrunk.net/nhddf4gt
yerndrunk.net/t43anq3
yerndrunk.net/yk5vx6i
The first two lists are legitimate hacked sites, the last list are hosted on the following two IPs which are definitely worth blocking:
178.212.131.10 (21 Century Telecom Ltd, Russia)
37.200.70.6 (Selectel Ltd, Russia)
1express.com.sg/54JHbjgcDLG
24hourprintshop.com/54JHbjgcDLG
46709394.com/54JHbjgcDLG
adityastar.com/54JHbjgcDLG
akademistcicek.com/54JHbjgcDLG
all4supply.com/54JHbjgcDLG
apro88.com/54JHbjgcDLG
bsm.sk/54JHbjgcDLG
chelsea-west.com/54JHbjgcDLG
criar-meu-site.com/54JHbjgcDLG
curlysol.com/54JHbjgcDLG
demo.website.pl/54JHbjgcDLG
graveyardsofmilwaukee.org/54JHbjgcDLG
helpmybathroom.com/54JHbjgcDLG
hollystamps.com/54JHbjgcDLG
honeydavis.us/54JHbjgcDLG
inovsol.com/54JHbjgcDLG
islamiccollege.org/54JHbjgcDLG
jsydjc.com/54JHbjgcDLG
lv-nexis.com/54JHbjgcDLG
mclodesigns.com/54JHbjgcDLG
miamilimosina.com/54JHbjgcDLG
mudelts.com/54JHbjgcDLG
mytourbid.com/54JHbjgcDLG
paraspokeri.net/54JHbjgcDLG
psychquiz.com/54JHbjgcDLG
qarmoo.com/54JHbjgcDLG
rentvspb.ru/54JHbjgcDLG
sadeqmedia.com/54JHbjgcDLG
salemwitchcat.com/54JHbjgcDLG
samenart.com/54JHbjgcDLG
sds-india.org/54JHbjgcDLG
shopmjn.com/54JHbjgcDLG
sinergica.cl/54JHbjgcDLG
swivelsrus.com/54JHbjgcDLG
tobybender.com/54JHbjgcDLG
travelvoice.com/54JHbjgcDLG
urachart.com/54JHbjgcDLG
wordpresshosting.co.il/54JHbjgcDLG
xsolution.sk/54JHbjgcDLG
1natureresort.com/afdIJGY8766gyu
allovercoupon.com/afdIJGY8766gyu
bet4good.org/afdIJGY8766gyu
bigfishcasting.com/afdIJGY8766gyu
charlcote1.net/afdIJGY8766gyu
credit-it.com/afdIJGY8766gyu
delicefilm.com/afdIJGY8766gyu
dendang.net/afdIJGY8766gyu
discoverstillwater.com/afdIJGY8766gyu
eiti.co.il/afdIJGY8766gyu
electua.org/afdIJGY8766gyu
espaciosamadhi.com/afdIJGY8766gyu
fenwaycourier.com/afdIJGY8766gyu
gearstuff.net/afdIJGY8766gyu
hawaiipoliticalinfo.org/afdIJGY8766gyu
iandistudio.com/afdIJGY8766gyu
iassess.net/afdIJGY8766gyu
insideinsights.net/afdIJGY8766gyu
insieutoc.com/afdIJGY8766gyu
jxbestextile.com/afdIJGY8766gyu
keratin.sk/afdIJGY8766gyu
kf-design.com/afdIJGY8766gyu
lacumpa.biz/afdIJGY8766gyu
lowcostveterinarios.com/afdIJGY8766gyu
lullaby-babies.co.uk/afdIJGY8766gyu
lusanmaster.com/afdIJGY8766gyu
mika.tohmon.com/afdIJGY8766gyu
mumbomedia.nl/afdIJGY8766gyu
ocscexpo.net/afdIJGY8766gyu
oliveservicedapartments.com/afdIJGY8766gyu
onefilmy.com/afdIJGY8766gyu
pasbardejov.sk/afdIJGY8766gyu
rimpro.ru/afdIJGY8766gyu
salarypra1.net/afdIJGY8766gyu
sandpiperchorus.us/afdIJGY8766gyu
sapanboon.com/afdIJGY8766gyu
techboss.net/afdIJGY8766gyu
tommylam.com/afdIJGY8766gyu
trudprom.ru/afdIJGY8766gyu
zharikoff.ru/afdIJGY8766gyu
bulkreasy.com/7e5a7
bulkreasy.com/8tl3rmh
bulkreasy.com/905jscb
bulkreasy.com/c3vaho
bulkreasy.com/oqn8p
maggycocoa.net/8i00a
maggycocoa.net/i9uje
maggycocoa.net/uml71ij
maggycocoa.net/z8xl3w7q
maggycocoa.net/zi6mrx
yerndrunk.net/esab0
yerndrunk.net/ez5jqc0n
yerndrunk.net/nhddf4gt
yerndrunk.net/t43anq3
yerndrunk.net/yk5vx6i
The first two lists are legitimate hacked sites, the last list are hosted on the following two IPs which are definitely worth blocking:
178.212.131.10 (21 Century Telecom Ltd, Russia)
37.200.70.6 (Selectel Ltd, Russia)
Inspiral Carpets hacked, leads to The Quantum Code binary options spam
This type of binary options scam spam comes in waves every so often:
It's not very interesting to tell the truth, but it relies on hacked WordPress sites in order to provide landing pages. Of course, hacking someone's site to do this is illegal and no legitimate business would promote itself like this.
What I noticed was the URL in the email..
cash-onlines.com [172.246.233.55] (Enzu, US)
There's a familiar landing page..
Clicking the link goes to www.the-quantumcode.com hosted on 31.220.0.35 (Terratransit, Netherlands). This is some bollocks about a binary options trading robot which will apparently make you millions. Obviously this is a scam, because if it was really that easy we'll all be doing it.
One little scammy trick is a counter to tell you that loads of people are looking at the site but there are only a small number of slots available.
The numbers are completely made up. If you look exactly the same page in another browser window, they are different.
It's hard to say if the spam was sent out by whoever runs the binary options site or an affiliate. But it's still crap either way.
Hosted on the same server are the following domains which are probably more of the same plus a load of other bollocks:
15kin15minutes.com
altronix-app.com
altronix-app.net
altronixapp.net
beautifulasians.net
beckdietsolution.biz
blogtipsntricks.net
channel78news.com
channel818news.com
channel988news.com
clickcashformula.com
clickcashformulareview.com
cloudcliks.com
crescendobot.com
deliciouslyella.net
fannetasticfood.net
fasttrackprofits.net
freeteethwhitenings.co
gopsusports.net
healthbeatblog.net
heartifb.biz
hgspanel.com
hostingtosuccess.com
instantcashmarket.com
ironmantips.co
jeffbullas.net
jmusportsblog.us
jonbarron.me
liedetectorreview.biz
liedetectorreview.com
liedetectorreviews.com
makeyourbodywork.net
michaelcrawfordclub.com
millnaire-blueprint.com
myliedetectorreview.com
newskincaretips.org
perpetualformula.com
russianhotties.co
smallbiztrends.us
snapcreativity.net
startofhappiness.biz
the-orioncode.com
the-orioncode.net
the-orioncode.org
the-quantumcode.co
the-quantumcode.com
themillblueprint.com
thequantum-code.com
thequantum-code.net
thequantum-code.org
thequantumcode.biz
thequantumcode.co
thequantumreview.com
thezerolossformula.biz
thezerolossformula.net
thezerolossformula.org
upgradeforbonus.com
zerolossformula.biz
zerolossformula.net
zlformula.net
Avoid.
Subject: Welcoming speech
From: jeffriesvx@mail2nancy.com
Date: Friday, 16 September 2016, 3:31
Good day!
We are looking for employees working remotely.
My name is Glen, I am the personnel manager of a large International company.
Most of the work you can do from home, that is, at a distance.
Salary is $2600-$5500.
If you are interested in this offer, please visit Our Site
Good day!
It's not very interesting to tell the truth, but it relies on hacked WordPress sites in order to provide landing pages. Of course, hacking someone's site to do this is illegal and no legitimate business would promote itself like this.
What I noticed was the URL in the email..
inspiralcarpets.com/super/wp-content/themes/twentyfifteen/genericons/Inspiral Carpets? Yup, that's the website of the Manchester rock band of the same name. Rather than a carpet shop. As this URLquery report shows, it lands on..
cash-onlines.com [172.246.233.55] (Enzu, US)
There's a familiar landing page..
Clicking the link goes to www.the-quantumcode.com hosted on 31.220.0.35 (Terratransit, Netherlands). This is some bollocks about a binary options trading robot which will apparently make you millions. Obviously this is a scam, because if it was really that easy we'll all be doing it.
One little scammy trick is a counter to tell you that loads of people are looking at the site but there are only a small number of slots available.
The numbers are completely made up. If you look exactly the same page in another browser window, they are different.
It's hard to say if the spam was sent out by whoever runs the binary options site or an affiliate. But it's still crap either way.
Hosted on the same server are the following domains which are probably more of the same plus a load of other bollocks:
15kin15minutes.com
altronix-app.com
altronix-app.net
altronixapp.net
beautifulasians.net
beckdietsolution.biz
blogtipsntricks.net
channel78news.com
channel818news.com
channel988news.com
clickcashformula.com
clickcashformulareview.com
cloudcliks.com
crescendobot.com
deliciouslyella.net
fannetasticfood.net
fasttrackprofits.net
freeteethwhitenings.co
gopsusports.net
healthbeatblog.net
heartifb.biz
hgspanel.com
hostingtosuccess.com
instantcashmarket.com
ironmantips.co
jeffbullas.net
jmusportsblog.us
jonbarron.me
liedetectorreview.biz
liedetectorreview.com
liedetectorreviews.com
makeyourbodywork.net
michaelcrawfordclub.com
millnaire-blueprint.com
myliedetectorreview.com
newskincaretips.org
perpetualformula.com
russianhotties.co
smallbiztrends.us
snapcreativity.net
startofhappiness.biz
the-orioncode.com
the-orioncode.net
the-orioncode.org
the-quantumcode.co
the-quantumcode.com
themillblueprint.com
thequantum-code.com
thequantum-code.net
thequantum-code.org
thequantumcode.biz
thequantumcode.co
thequantumreview.com
thezerolossformula.biz
thezerolossformula.net
thezerolossformula.org
upgradeforbonus.com
zerolossformula.biz
zerolossformula.net
zlformula.net
Avoid.
Labels:
Finance Scams,
Scams,
Spam
Malicious domains to block 2016-09-16
These domains are part of a cluster, some of with are serving the EITEST RIG exploit kit (similar to that described here). They all share nameservers running on 62.75.167.186 and 62.75.167.187.
kisliy.com
tatar28.com
netvoyne.com
susana24.com
tigkolor.com
wartan24.com
kitoboyka.com
koktail24.com
salagriva.com
konektyfor.com
shophodoki.com
livefreedns.com
liveskansys.com
longzonenet.com
vestostnord.com
2f8d2n456f0x.com
freensservic.com
nshun89qvgxa.com
tujkh6ncxqzc.com
wtyr0lu7cxm3.com
blizorsysdate.com
shopslovyanka.com
prowebanalityc.com
roginozsecurnet.com
adobesecurupdate.com
linksbacksreport.com
websecuranalitic.com
adobe-flesh-update.com
adobe-secur-update.com
microsoft-securety.com
securetypostanalityc.com
pronetanaliz.info
1i3w9az49av0.net
345uzwpqnohu.net
4lmbkpqrklqv.net
705qvchqrk5e.net
8d6fw1i3ot67.net
f4tir0dqb01u.net
fg1238tq38le.net
no1q349azgpm.net
o92rgx6r456b.net
pev09m38laj4.net
ty78lizc9ung.net
yrwlejglq3wl.net
aligosecurety.net
3wdev4pqfw1u.org
j8le7s5q745e.org
o9aj8xa34xaf.org
v8p2zw96vg5e.org
outsecurety.pw
kisliy.com
tatar28.com
netvoyne.com
susana24.com
tigkolor.com
wartan24.com
kitoboyka.com
koktail24.com
salagriva.com
konektyfor.com
shophodoki.com
livefreedns.com
liveskansys.com
longzonenet.com
vestostnord.com
2f8d2n456f0x.com
bwl2rola3cpm.com
freensservic.com
nshun89qvgxa.com
tujkh6ncxqzc.com
wtyr0lu7cxm3.com
blizorsysdate.com
shopslovyanka.com
prowebanalityc.com
roginozsecurnet.com
adobesecurupdate.com
linksbacksreport.com
websecuranalitic.com
adobe-flesh-update.com
adobe-secur-update.com
microsoft-securety.com
securetypostanalityc.com
businessprofessionalzgroup.com
1i3w9az49av0.net
345uzwpqnohu.net
4lmbkpqrklqv.net
705qvchqrk5e.net
8d6fw1i3ot67.net
f4tir0dqb01u.net
fg1238tq38le.net
no1q349azgpm.net
o92rgx6r456b.net
pev09m38laj4.net
ty78lizc9ung.net
yrwlejglq3wl.net
aligosecurety.net
3wdev4pqfw1u.org
j8le7s5q745e.org
o9aj8xa34xaf.org
v8p2zw96vg5e.org
siteanalytics.pro
pronetanaliz.info
The EK domains are running on a botnet (those are listed in italics). The other domains seem to serve some other sort of nastiness. Those IPs form part of a range rented from Host Europe Group consisting of the following IPs:
62.75.167.186
62.75.167.187
62.75.167.188
62.75.167.189
62.75.167.190
This is roughly analogous to 62.75.167.184/29 which might be worth blocking, but note that won't stop IP traffic to the EK domains which are on different IPs. These IPs are allocated to:
person: Vasiliy Buyanov
address: Tereshkovoy 37
address:
address: 664000 Irkutsk
address: Russia
phone: +7 901 6508840
e-mail: admin@realhosters.com
nic-hdl: VB5472-RIPE
remarks: 5408042
abuse-mailbox: admin@realhosters.com
mnt-by: BSB-SERVICE-MNT
created: 2015-10-07T08:35:50Z
last-modified: 2015-10-07T08:35:50Z
source: RIPE
kisliy.com
tatar28.com
netvoyne.com
susana24.com
tigkolor.com
wartan24.com
kitoboyka.com
koktail24.com
salagriva.com
konektyfor.com
shophodoki.com
livefreedns.com
liveskansys.com
longzonenet.com
vestostnord.com
2f8d2n456f0x.com
freensservic.com
nshun89qvgxa.com
tujkh6ncxqzc.com
wtyr0lu7cxm3.com
blizorsysdate.com
shopslovyanka.com
prowebanalityc.com
roginozsecurnet.com
adobesecurupdate.com
linksbacksreport.com
websecuranalitic.com
adobe-flesh-update.com
adobe-secur-update.com
microsoft-securety.com
securetypostanalityc.com
pronetanaliz.info
1i3w9az49av0.net
345uzwpqnohu.net
4lmbkpqrklqv.net
705qvchqrk5e.net
8d6fw1i3ot67.net
f4tir0dqb01u.net
fg1238tq38le.net
no1q349azgpm.net
o92rgx6r456b.net
pev09m38laj4.net
ty78lizc9ung.net
yrwlejglq3wl.net
aligosecurety.net
3wdev4pqfw1u.org
j8le7s5q745e.org
o9aj8xa34xaf.org
v8p2zw96vg5e.org
outsecurety.pw
kisliy.com
tatar28.com
netvoyne.com
susana24.com
tigkolor.com
wartan24.com
kitoboyka.com
koktail24.com
salagriva.com
konektyfor.com
shophodoki.com
livefreedns.com
liveskansys.com
longzonenet.com
vestostnord.com
2f8d2n456f0x.com
bwl2rola3cpm.com
freensservic.com
nshun89qvgxa.com
tujkh6ncxqzc.com
wtyr0lu7cxm3.com
blizorsysdate.com
shopslovyanka.com
prowebanalityc.com
roginozsecurnet.com
adobesecurupdate.com
linksbacksreport.com
websecuranalitic.com
adobe-flesh-update.com
adobe-secur-update.com
microsoft-securety.com
securetypostanalityc.com
businessprofessionalzgroup.com
1i3w9az49av0.net
345uzwpqnohu.net
4lmbkpqrklqv.net
705qvchqrk5e.net
8d6fw1i3ot67.net
f4tir0dqb01u.net
fg1238tq38le.net
no1q349azgpm.net
o92rgx6r456b.net
pev09m38laj4.net
ty78lizc9ung.net
yrwlejglq3wl.net
aligosecurety.net
3wdev4pqfw1u.org
j8le7s5q745e.org
o9aj8xa34xaf.org
v8p2zw96vg5e.org
siteanalytics.pro
pronetanaliz.info
The EK domains are running on a botnet (those are listed in italics). The other domains seem to serve some other sort of nastiness. Those IPs form part of a range rented from Host Europe Group consisting of the following IPs:
62.75.167.186
62.75.167.187
62.75.167.188
62.75.167.189
62.75.167.190
This is roughly analogous to 62.75.167.184/29 which might be worth blocking, but note that won't stop IP traffic to the EK domains which are on different IPs. These IPs are allocated to:
person: Vasiliy Buyanov
address: Tereshkovoy 37
address:
address: 664000 Irkutsk
address: Russia
phone: +7 901 6508840
e-mail: admin@realhosters.com
nic-hdl: VB5472-RIPE
remarks: 5408042
abuse-mailbox: admin@realhosters.com
mnt-by: BSB-SERVICE-MNT
created: 2015-10-07T08:35:50Z
last-modified: 2015-10-07T08:35:50Z
source: RIPE
Labels:
Evil Network,
Malware,
Russia,
Viruses
Tuesday, 13 September 2016
Malware spam: "Attached is the tax invoice of your company. Please do the payment in an urgent manner." leads to Locky
This fake financial spam leads to Locky ransomware:
adzebur.com/dsd7gk [37.200.70.6] (Selectel Ltd, Russia)
duelrid.com/b9m1t [37.200.70.6] (Selectel Ltd, Russia)
[78.212.131.10] (21 Century Telecom Ltd, Russia)
[31.210.120.153] (Sayfa Net, Turkey)
madaen.net/e3ib4f [143.95.252.28] (Athenix Inc, US)
morningaamu.com/6wdivzv [192.3.7.44] (Virtual Machine Solutions LLC, US)
[23.95.106.223] (New Wave Netconnect, US)
[23.249.164.116] (Net3 Inc, US)
smilehm.com/f72gngb [not resolving]
The payload then phones home to:
91.214.71.101/data/info.php (ArtPlanet LLC, Russia)
51.255.105.2/data/info.php (New Wind Stanislav, Montenegro / OVH, France)
185.154.15.150/data/info.php (Denis Dunaevskiy, Ukraine / Zomro, Netherlands)
46.173.214.95/data/info.php (Garant-Park-Internet Ltd, Russia)
95.85.29.208/data/info.php (Digital Ocean, Netherlands)
yofkhfskdyiqo.biz/data/info.php [69.195.129.70] (Joes Datacenter, US)
khpnqbggoexgbyypy.pw/data/info.php [217.187.13.71] (O2 / Telefonica, Germany)
nbrqrwyjbwcludpjj.click/data/info.php
atjefykfsk.su/data/info.php
dsvuclpoxbqmkdk.xyz/data/info.php
bidmvvhwy.pl/data/info.php
gfhstncbxtjeyhvad.work/data/info.php
iyvrkkrpk.biz/data/info.php
awqgqseghmwgulmyl.su/data/info.php
hioknruwp.ru/data/info.php
cucwonardfib.xyz/data/info.php
vwcwpoksnfk.su/data/info.php
Recommended blocklist:
37.200.70.6
91.214.71.101
51.255.105.0/28
185.154.15.150
46.173.214.95
95.85.29.208
217.187.13.71
UPDATE: further analysis gives these other IPs to block..
78.212.131.10
31.210.120.153
192.3.7.44
23.95.106.128/25
23.249.164.116
Subject: Tax invoiceThe name of the sender will vary. Attached is a randomly-named ZIP file containing a malicious .wsf with a name beginning with "tax_invoice_scan PDF". According to my trusted source (thank you!) the various scripts download a component from one of the following locations:
From: Kris Allison (Allison.5326@resorts.com.mx)
Date: Tuesday, 13 September 2016, 11:22
Dear Client,
Attached is the tax invoice of your company. Please do the payment in an urgent manner.
Best regards,
Kris Allison
adzebur.com/dsd7gk [37.200.70.6] (Selectel Ltd, Russia)
duelrid.com/b9m1t [37.200.70.6] (Selectel Ltd, Russia)
[78.212.131.10] (21 Century Telecom Ltd, Russia)
[31.210.120.153] (Sayfa Net, Turkey)
madaen.net/e3ib4f [143.95.252.28] (Athenix Inc, US)
morningaamu.com/6wdivzv [192.3.7.44] (Virtual Machine Solutions LLC, US)
[23.95.106.223] (New Wave Netconnect, US)
[23.249.164.116] (Net3 Inc, US)
smilehm.com/f72gngb [not resolving]
The payload then phones home to:
91.214.71.101/data/info.php (ArtPlanet LLC, Russia)
51.255.105.2/data/info.php (New Wind Stanislav, Montenegro / OVH, France)
185.154.15.150/data/info.php (Denis Dunaevskiy, Ukraine / Zomro, Netherlands)
46.173.214.95/data/info.php (Garant-Park-Internet Ltd, Russia)
95.85.29.208/data/info.php (Digital Ocean, Netherlands)
yofkhfskdyiqo.biz/data/info.php [69.195.129.70] (Joes Datacenter, US)
khpnqbggoexgbyypy.pw/data/info.php [217.187.13.71] (O2 / Telefonica, Germany)
nbrqrwyjbwcludpjj.click/data/info.php
atjefykfsk.su/data/info.php
dsvuclpoxbqmkdk.xyz/data/info.php
bidmvvhwy.pl/data/info.php
gfhstncbxtjeyhvad.work/data/info.php
iyvrkkrpk.biz/data/info.php
awqgqseghmwgulmyl.su/data/info.php
hioknruwp.ru/data/info.php
cucwonardfib.xyz/data/info.php
vwcwpoksnfk.su/data/info.php
Recommended blocklist:
37.200.70.6
91.214.71.101
51.255.105.0/28
185.154.15.150
46.173.214.95
95.85.29.208
217.187.13.71
UPDATE: further analysis gives these other IPs to block..
78.212.131.10
31.210.120.153
192.3.7.44
23.95.106.128/25
23.249.164.116
Labels:
France,
Locky,
Malware,
Montenegro,
Netherlands,
OVH,
Ransomware,
Russia,
Spam,
Ukraine,
Viruses
Monday, 12 September 2016
Malware spam: "Budget report" leads to Locky (and also evil network on 23.95.106.128/25)
This fake financial spam leads to Locky ransomware:
921FA0B8 Budget_report_xls - 1.js
921FA0B8 Budget_report_xls.js
The scripts are highly obfuscated however the Hybrid Analysis and Malwr report show that it downloads a component from:
lookbookinghotels.ws/a9sgrrak
trybttr.ws/h71qizc
These are hosted on a New Wave Netconnect IP at 23.95.106.223. This forms part of a block 23.95.106.128/25 which also contained Locky download locations at two other locations [1] [2] which rather makes me think that the whole range should be blocked.
A DLL is dropped with a detection rate of about 8/57 [3] [4] which appears to phone home to:
51.255.105.2/data/info.php (New wind Stanislav, Montenegro / OVH / France)
185.154.15.150/data/info.php [hostname: tyte.ru] (Dunaevskiy Denis Leonidovich, Russia / Zomro, Netherlands)
95.85.29.208/data/info.php [hostname: ilia909.myeasy.ru] (Digital Ocean, Netherlands)
46.173.214.95/data/info.php (Garant-Park-Internet Ltd, Russia)
91.214.71.101/data/info.php (ArtPlanet LLC, Russia)
Incidentally, the registrant information on the bad domains is also very familiar:
Registry Registrant ID:
Registrant Name: Dudenkov Denis
Registrant Organization: Eranet International Limited
Registrant Street: Lenina 18 Lenina 18
Registrant City: Vladivostok
Registrant State/Province: RU
Registrant Postal Code: 690109
Registrant Country: RU
Registrant Phone: 85222190860
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: volosovik@inbox.ru
Registry Admin ID:
Recommended minimum blocklist:
23.95.106.128/25
51.255.105.2
185.154.15.150
95.85.29.208
46.173.214.95
91.214.71.101
UPDATE - 2016/06/13
A list of the sites currently hosted on 23.95.106.128/25 and their SURBL ratings can be found here.
From: Lauri GibbsAttached is a randomly-named ZIP file which in sample I saw contained two identical malicious scripts:
Date: 12 September 2016 at 15:11
Subject: Budget report
Hi [redacted],
I have partially finished the last month's budget report you asked me to do. Please add miscellaneous expenses in the budget.
With many thanks,
Lauri Gibbs
921FA0B8 Budget_report_xls - 1.js
921FA0B8 Budget_report_xls.js
The scripts are highly obfuscated however the Hybrid Analysis and Malwr report show that it downloads a component from:
lookbookinghotels.ws/a9sgrrak
trybttr.ws/h71qizc
These are hosted on a New Wave Netconnect IP at 23.95.106.223. This forms part of a block 23.95.106.128/25 which also contained Locky download locations at two other locations [1] [2] which rather makes me think that the whole range should be blocked.
A DLL is dropped with a detection rate of about 8/57 [3] [4] which appears to phone home to:
51.255.105.2/data/info.php (New wind Stanislav, Montenegro / OVH / France)
185.154.15.150/data/info.php [hostname: tyte.ru] (Dunaevskiy Denis Leonidovich, Russia / Zomro, Netherlands)
95.85.29.208/data/info.php [hostname: ilia909.myeasy.ru] (Digital Ocean, Netherlands)
46.173.214.95/data/info.php (Garant-Park-Internet Ltd, Russia)
91.214.71.101/data/info.php (ArtPlanet LLC, Russia)
Incidentally, the registrant information on the bad domains is also very familiar:
Registry Registrant ID:
Registrant Name: Dudenkov Denis
Registrant Organization: Eranet International Limited
Registrant Street: Lenina 18 Lenina 18
Registrant City: Vladivostok
Registrant State/Province: RU
Registrant Postal Code: 690109
Registrant Country: RU
Registrant Phone: 85222190860
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: volosovik@inbox.ru
Registry Admin ID:
Recommended minimum blocklist:
23.95.106.128/25
51.255.105.2
185.154.15.150
95.85.29.208
46.173.214.95
91.214.71.101
UPDATE - 2016/06/13
A list of the sites currently hosted on 23.95.106.128/25 and their SURBL ratings can be found here.
Labels:
France,
Locky,
Malware,
Montenegro,
Netherlands,
OVH,
Ransomware,
Russia,
Spam,
Viruses
Friday, 9 September 2016
Malware spam: "Order Confirmation xxxxx" leads to Locky
This fake financial spam leads to malware:
Contained within the ZIP file is a malicious .HTA script with a random name (example). This simply appears to be an encapsulated Javascript.
Analysis is pending, my trusted source (thank you) says that the various scripts download from one of the following locations:
adasurgical.com/7832ghd
agileprojects.ro/7832ghd
anatoliamaket.com/7832ghd
annurmaheshphotography.in/7832ghd
aycilinsaat.com/7832ghd
biogreentech.in/7832ghd
cardimax.com.ph/7832ghd
citycollection.com.tr/7832ghd
craskart.com/7832ghd
dashingleather.com/7832ghd
doctortools.eu/7832ghd
factumtech.com/7832ghd
flexfitent.com/7832ghd
goldenladywedding.com/7832ghd
iandiinternational.com/7832ghd
jmetalloysllp.com/7832ghd
linosys.info/7832ghd
marathazhunj.com/7832ghd
micaraland.com/7832ghd
moko-2.wptemplate.net/7832ghd
mylespollard.com.au/7832ghd
onlinepurohit.com/7832ghd
perfectfixuae.com/7832ghd
platformarchitects.com.au/7832ghd
rapiderbariyer.com/7832ghd
safiazsports.com/7832ghd
shagunproperty.com/7832ghd
sowhatresearch.com.au/7832ghd
stylecode.co.in/7832ghd
tipsforall.in/7832ghd
tscbearings.in/7832ghd
Ungelie.com/7832ghd
utsavi.net/7832ghd
walkerandhall.co.uk/7832ghd
webdesignselite.com/7832ghd
webnox.in/7832ghd
www.alfajerdecor.com/7832ghd
www.jmetalloysllp.com/7832ghd
www.mehrabtech.ae/7832ghd
www.pstimes.com/7832ghd
www.thegurukulians.com/7832ghd
yesiloglugrup.com/7832ghd
The URL is appended with a randomised query string (e.g. ?abcdEfgh=ZYXwvu). The payload is Locky ransomware has an MD5 of 5db5fc57ee4ad0e603f96cd9b7ef048a but I do not have a sample yet.
This version of Locky does not use C2s, so if you want to block traffic then I recommend using the list above or monitoring/blocking access attempts with 7832ghd in the string.
UPDATE: The Hybrid Analysis of one of the scripts does not add much except to confirm that this is ransomware.
From: Ignacio le neveThe name of the sender and the reference number will vary. Attached is a file named consistently with the reference (e.g. Ord355050211.zip) but an error in the MIME formatting means that this may save with a .dzip ending instead of .zip.
Date: 9 September 2016 at 10:31
Subject: Order Confirmation 355050211
--
This message is intended only for the individual or entity to which it is
addressed and may contain information that is private and confidential. If
you are not the intended recipient, you are hereby notified that any
dissemination, distribution or copying of this communication and its
attachments is strictly prohibited.
Contained within the ZIP file is a malicious .HTA script with a random name (example). This simply appears to be an encapsulated Javascript.
Analysis is pending, my trusted source (thank you) says that the various scripts download from one of the following locations:
adasurgical.com/7832ghd
agileprojects.ro/7832ghd
anatoliamaket.com/7832ghd
annurmaheshphotography.in/7832ghd
aycilinsaat.com/7832ghd
biogreentech.in/7832ghd
cardimax.com.ph/7832ghd
citycollection.com.tr/7832ghd
craskart.com/7832ghd
dashingleather.com/7832ghd
doctortools.eu/7832ghd
factumtech.com/7832ghd
flexfitent.com/7832ghd
goldenladywedding.com/7832ghd
iandiinternational.com/7832ghd
jmetalloysllp.com/7832ghd
linosys.info/7832ghd
marathazhunj.com/7832ghd
micaraland.com/7832ghd
moko-2.wptemplate.net/7832ghd
mylespollard.com.au/7832ghd
onlinepurohit.com/7832ghd
perfectfixuae.com/7832ghd
platformarchitects.com.au/7832ghd
rapiderbariyer.com/7832ghd
safiazsports.com/7832ghd
shagunproperty.com/7832ghd
sowhatresearch.com.au/7832ghd
stylecode.co.in/7832ghd
tipsforall.in/7832ghd
tscbearings.in/7832ghd
Ungelie.com/7832ghd
utsavi.net/7832ghd
walkerandhall.co.uk/7832ghd
webdesignselite.com/7832ghd
webnox.in/7832ghd
www.alfajerdecor.com/7832ghd
www.jmetalloysllp.com/7832ghd
www.mehrabtech.ae/7832ghd
www.pstimes.com/7832ghd
www.thegurukulians.com/7832ghd
yesiloglugrup.com/7832ghd
The URL is appended with a randomised query string (e.g. ?abcdEfgh=ZYXwvu). The payload is Locky ransomware has an MD5 of 5db5fc57ee4ad0e603f96cd9b7ef048a but I do not have a sample yet.
This version of Locky does not use C2s, so if you want to block traffic then I recommend using the list above or monitoring/blocking access attempts with 7832ghd in the string.
UPDATE: The Hybrid Analysis of one of the scripts does not add much except to confirm that this is ransomware.
Labels:
Locky,
Malware,
Ransomware,
Spam,
Viruses
Thursday, 8 September 2016
Malware spam: "[Vigor2820 Series] New voice mail message from xxxxx"
This spam appears to come from within the victim's own domain, it has a malicious attachment. The telephone number referred to will vary.
158.195.68.10/g76gyui
209.41.183.242/g76gyui
dashman.web.fc2.com/g76gyui
dcqoutlet.es/g76gyui
dpskaunas.puslapiai.lt/g76gyui
fidelitas.heimat.eu/g76gyui
gam-e20.it/g76gyui
ghost-tony.com.es/g76gyui
josemedina.com/g76gyui
kreativmanagement.homepage.t-online.de/g76gyui
olivier.coroenne.perso.sfr.fr/g76gyui
portadeenrolar.ind.br/g76gyui
sitio655.vtrbandaancha.net/g76gyui
sp-moto.ru/g76gyui
srxrun.nobody.jp/g76gyui
thb-berlin.homepage.t-online.de/g76gyui
tst-technik.de/g76gyui
unimet.tmhandel.com/g76gyui
www.agridiving.net/g76gyui
www.alanmorgan.plus.com/g76gyui
www.aldesco.it/g76gyui
www.alpstaxi.co.jp/g76gyui
www.association-julescatoire.fr/g76gyui
www.bytove.jadro.szm.com/g76gyui
www.ccnprodusenaturiste.home.ro/g76gyui
www.gebrvanorsouw.nl/g76gyui
www.gengokk.co.jp/g76gyui
www.hung-guan.com.tw/g76gyui
www.idiomestarradellas.com/g76gyui
www.laribalta.org/g76gyui
www.mikeg7hen.talktalk.net/g76gyui
www.one-clap.jp/g76gyui
www.radicegioielli.com/g76gyui
www.rioual.com/g76gyui
www.spiritueelcentrumaum.net/g76gyui
www.texelvakantiehuisje.nl/g76gyui
www.threshold-online.co.uk/g76gyui
www.whitakerpd.co.uk/g76gyui
www.xolod-teplo.ru/g76gyui
Each URL has a random query string appended (e.g. ?abcdEfgh=ZYXwvu)
Unusually, this version of Locky does not seem to have C2 servers so blocking it will involve blocking all the URLs listed above or you could monitor for the string g76gyui in your logs.
UPDATE: the Hybrid Analysis of the script can be found here.
Subject: [Vigor2820 Series] New voice mail message from 01427087154 on 2016/09/08 15:14:54Attached is a ZIP file with a name in the format Message_from_01427087154.wav.zip which contains a randomly-named and malicious .wsf script. My trusted source (thank you) says that the various versions of the script download from one of the following locations:
From: voicemail@victimdomain.tld (voicemail@victimdomain.tld)
To: webmaster@victimdomain.tld;
Date: Thursday, 8 September 2016, 13:15
Dear webmaster :
There is a message for you from 01427087154, on 2016/09/08 15:14:54 .
You might want to check it when you get a chance.Thanks!
158.195.68.10/g76gyui
209.41.183.242/g76gyui
dashman.web.fc2.com/g76gyui
dcqoutlet.es/g76gyui
dpskaunas.puslapiai.lt/g76gyui
fidelitas.heimat.eu/g76gyui
gam-e20.it/g76gyui
ghost-tony.com.es/g76gyui
josemedina.com/g76gyui
kreativmanagement.homepage.t-online.de/g76gyui
olivier.coroenne.perso.sfr.fr/g76gyui
portadeenrolar.ind.br/g76gyui
sitio655.vtrbandaancha.net/g76gyui
sp-moto.ru/g76gyui
srxrun.nobody.jp/g76gyui
thb-berlin.homepage.t-online.de/g76gyui
tst-technik.de/g76gyui
unimet.tmhandel.com/g76gyui
www.agridiving.net/g76gyui
www.alanmorgan.plus.com/g76gyui
www.aldesco.it/g76gyui
www.alpstaxi.co.jp/g76gyui
www.association-julescatoire.fr/g76gyui
www.bytove.jadro.szm.com/g76gyui
www.ccnprodusenaturiste.home.ro/g76gyui
www.gebrvanorsouw.nl/g76gyui
www.gengokk.co.jp/g76gyui
www.hung-guan.com.tw/g76gyui
www.idiomestarradellas.com/g76gyui
www.laribalta.org/g76gyui
www.mikeg7hen.talktalk.net/g76gyui
www.one-clap.jp/g76gyui
www.radicegioielli.com/g76gyui
www.rioual.com/g76gyui
www.spiritueelcentrumaum.net/g76gyui
www.texelvakantiehuisje.nl/g76gyui
www.threshold-online.co.uk/g76gyui
www.whitakerpd.co.uk/g76gyui
www.xolod-teplo.ru/g76gyui
Each URL has a random query string appended (e.g. ?abcdEfgh=ZYXwvu)
Unusually, this version of Locky does not seem to have C2 servers so blocking it will involve blocking all the URLs listed above or you could monitor for the string g76gyui in your logs.
UPDATE: the Hybrid Analysis of the script can be found here.
Labels:
Locky,
Malware,
Ransomware,
Spam,
Viruses
Wednesday, 7 September 2016
Malware spam: "Agreement form" leads to Locky
This fake financial spam leads to malware:
308F92BC agreement_form_doc - 1.js
308F92BC agreement_form_doc.js
Automated analysis [1] [2] shows that the scripts [partly deobfuscated example] attempt to download a binary from one of the following locations:
donttouchmybaseline.ws/ecf2k1o
canonsupervideo4k.ws/afeb6
malwinstall.wang/fsdglygf
listofbuyersus.co.in/epzugs
Of those locations, only the first three resolve, as follows:
donttouchmybaseline.ws 216.244.68.195 (Wowrack, US)
canonsupervideo4k.ws 51.255.227.230 (OVH, France / Kitdos)
malwinstall.wang 51.255.227.230 (OVH, France / Kitdos)
The registration details for all those domains are the same:
Registry Registrant ID:
Registrant Name: Dudenkov Denis
Registrant Organization: Eranet International Limited
Registrant Street: Lenina 18 Lenina 18
Registrant City: Vladivostok
Registrant State/Province: RU
Registrant Postal Code: 690109
Registrant Country: RU
Registrant Phone: 85222190860
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: volosovik@inbox.ru
Registry Admin ID:
These are the same details as found here. We know from that incident that the download locations are actually spread around a bit:
23.95.106.206 (New Wave NetConnect, US)
51.255.227.230 (OVH, France / Kitdos)
107.173.176.4 (Virtual Machine Solutions LLC, US)
192.3.7.198 [hostname: ns2.3arab.net] (Hudson Valley Host, US)
216.244.68.195 (Wowrack, US)
217.13.103.48 (1B Holding ZRT, Hungary)
The following also presumably evil sites are also hosted on those IPs:
bookinghotworld.ws
clubofmalw.ws
darkestzone2.wang
donttouchmybaseline.ws
canonsupervideo4k.ws
malwinstall.wang
wangmewang.name
tradesmartcoin.xyz
virmalw.name
Currently I am unable to work out the C2 locations for the malware, which is probably Locky ransomware. In the meantime, I recommend you block:
51.255.227.228/30
23.95.106.206
107.173.176.4
192.3.7.198
216.244.68.195
217.13.103.48
bookinghotworld.ws
clubofmalw.ws
darkestzone2.wang
donttouchmybaseline.ws
canonsupervideo4k.ws
malwinstall.wang
wangmewang.name
tradesmartcoin.xyz
virmalw.name
UPDATE
My trusted source (thank you) says that it phones home to the following IPs and URLs:
91.211.119.71/data/info.php (Zharkov Mukola Mukolayovuch aka 0x2a, Ukraine)
185.162.8.101/data/info.php (Eurohoster, Netherlands)
158.255.6.109/data/info.php (Mir Telematiki, Russia)
185.154.15.150/data/info.php (Dunaevskiy Denis Leonidovich aka Zomro, Ukraine)
gsejeeshdkraota.org/data/info.php [188.120.232.55] (TheFirst-RU, Russia)
sraqpmg.work/data/info.php
balichpjuamrd.work/data/info.php
mvvdhnix.biz/data/info.php [69.195.129.70] (Joes Datacenter, US)
kifksti.work/data/info.php
iruglwxkasnrcq.pl/data/info.php
xketxpqxj.work/data/info.php
qkmecehteogblx.su/data/info.php
bbskrcwndcyow.su/data/info.php
nqjacfrdpkiyuen.ru/data/info.php
ucjpevjjl.work/data/info.php
nyxgjdcm.info/data/info.php
In addition to the IPs listed above, I also recommend blocking:
69.195.129.70
91.211.119.71
158.255.6.109
185.154.15.150
185.162.8.101
188.120.232.55
Subject: Agreement formThe name of the sender will vary. Attached is a ZIP file named with a random hexadecimal sequence, containing a malicious .JS script ending with agreement_form_doc.js and in the sample I saw there was also a duplicate..
From: Marlin Gibson
Date: Wednesday, 7 September 2016, 9:35
Hi there,
Roberta assigned you to make the payment agreement for the new coming employees.
Here is the agreement form. Please finish it urgently.
Best Regards,
Marlin Gibson
Support Manager
308F92BC agreement_form_doc - 1.js
308F92BC agreement_form_doc.js
Automated analysis [1] [2] shows that the scripts [partly deobfuscated example] attempt to download a binary from one of the following locations:
donttouchmybaseline.ws/ecf2k1o
canonsupervideo4k.ws/afeb6
malwinstall.wang/fsdglygf
listofbuyersus.co.in/epzugs
Of those locations, only the first three resolve, as follows:
donttouchmybaseline.ws 216.244.68.195 (Wowrack, US)
canonsupervideo4k.ws 51.255.227.230 (OVH, France / Kitdos)
malwinstall.wang 51.255.227.230 (OVH, France / Kitdos)
The registration details for all those domains are the same:
Registry Registrant ID:
Registrant Name: Dudenkov Denis
Registrant Organization: Eranet International Limited
Registrant Street: Lenina 18 Lenina 18
Registrant City: Vladivostok
Registrant State/Province: RU
Registrant Postal Code: 690109
Registrant Country: RU
Registrant Phone: 85222190860
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: volosovik@inbox.ru
Registry Admin ID:
These are the same details as found here. We know from that incident that the download locations are actually spread around a bit:
23.95.106.206 (New Wave NetConnect, US)
51.255.227.230 (OVH, France / Kitdos)
107.173.176.4 (Virtual Machine Solutions LLC, US)
192.3.7.198 [hostname: ns2.3arab.net] (Hudson Valley Host, US)
216.244.68.195 (Wowrack, US)
217.13.103.48 (1B Holding ZRT, Hungary)
The following also presumably evil sites are also hosted on those IPs:
bookinghotworld.ws
clubofmalw.ws
darkestzone2.wang
donttouchmybaseline.ws
canonsupervideo4k.ws
malwinstall.wang
wangmewang.name
tradesmartcoin.xyz
virmalw.name
Currently I am unable to work out the C2 locations for the malware, which is probably Locky ransomware. In the meantime, I recommend you block:
51.255.227.228/30
23.95.106.206
107.173.176.4
192.3.7.198
216.244.68.195
217.13.103.48
bookinghotworld.ws
clubofmalw.ws
darkestzone2.wang
donttouchmybaseline.ws
canonsupervideo4k.ws
malwinstall.wang
wangmewang.name
tradesmartcoin.xyz
virmalw.name
UPDATE
My trusted source (thank you) says that it phones home to the following IPs and URLs:
91.211.119.71/data/info.php (Zharkov Mukola Mukolayovuch aka 0x2a, Ukraine)
185.162.8.101/data/info.php (Eurohoster, Netherlands)
158.255.6.109/data/info.php (Mir Telematiki, Russia)
185.154.15.150/data/info.php (Dunaevskiy Denis Leonidovich aka Zomro, Ukraine)
gsejeeshdkraota.org/data/info.php [188.120.232.55] (TheFirst-RU, Russia)
sraqpmg.work/data/info.php
balichpjuamrd.work/data/info.php
mvvdhnix.biz/data/info.php [69.195.129.70] (Joes Datacenter, US)
kifksti.work/data/info.php
iruglwxkasnrcq.pl/data/info.php
xketxpqxj.work/data/info.php
qkmecehteogblx.su/data/info.php
bbskrcwndcyow.su/data/info.php
nqjacfrdpkiyuen.ru/data/info.php
ucjpevjjl.work/data/info.php
nyxgjdcm.info/data/info.php
In addition to the IPs listed above, I also recommend blocking:
69.195.129.70
91.211.119.71
158.255.6.109
185.154.15.150
185.162.8.101
188.120.232.55
Monday, 5 September 2016
Malware spam: "We are sending you the credit card receipt from yesterday. Please match the card number and amount."
This fake financial spam has a malicious attachment:
A Malwr analysis of three samples [1] [2] [3] shows each one downloading a component from:
canonsupervideo4k.ws/1bcpr7xx
This appears to be multihomed on the following IP addresses:
23.95.106.206 (New Wave NetConnect, US)
107.173.176.4 (Virtual Machine Solutions LLC, US)
192.3.7.198 [hostname: ns2.3arab.net] (Hudson Valley Host, US)
217.13.103.48 (1B Holding ZRT, Hungary)
Of interest, the WHOIS details have been seen before in relation to Locky. They are probably fake:
Registrant Name: Dudenkov Denis
Registrant Organization: Eranet International Limited
Registrant Street: Lenina 18 Lenina 18
Registrant City: Vladivostok
Registrant State/Province: RU
Registrant Postal Code: 690109
Registrant Country: RU
Registrant Phone: 85222190860
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: volosovik@inbox.ru
Those reports indicate that a malicious DLL is dropped with a detection rate of 9/57. These Hybrid Analysis reports [4] [5] [6] show the malware phoning home to:
91.211.119.71/data/info.php [hostname: data.ru.com] (Zharkov Mukola Mukolayovuch aka 0x2a, Ukraine)
158.255.6.109/data/info.php (Mir Telematiki, Russia)
185.154.15.150/data/info.php (Denis Leonidovich Dunaevskiy, Ukraine)
185.162.8.101/data/info.php (Eurohoster, Netherlands)
uxfpwxxoyxt.pw/data/info.php [188.120.232.55] (TheFirst-RU, Russia)
The payload is probably Locky ransomware.
Recommended blocklist:
23.95.106.206
107.173.176.4
192.3.7.198
217.13.103.48
91.211.119.71
158.255.6.109
185.154.15.150
185.162.8.101
188.120.232.55
From: Tamika GoodThe spam will appear to come from different senders. Attached is a ZIP file with a random hexadecimal name, in turn containing a malicious .js script starting with the string credit_card_receipt_
Date: 5 September 2016 at 08:43
Subject: Credit card receipt
Dear [redacted],
We are sending you the credit card receipt from yesterday. Please match the card number and amount.
Sincerely yours,
Tamika Good
Account manager
A Malwr analysis of three samples [1] [2] [3] shows each one downloading a component from:
canonsupervideo4k.ws/1bcpr7xx
This appears to be multihomed on the following IP addresses:
23.95.106.206 (New Wave NetConnect, US)
107.173.176.4 (Virtual Machine Solutions LLC, US)
192.3.7.198 [hostname: ns2.3arab.net] (Hudson Valley Host, US)
217.13.103.48 (1B Holding ZRT, Hungary)
Of interest, the WHOIS details have been seen before in relation to Locky. They are probably fake:
Registrant Name: Dudenkov Denis
Registrant Organization: Eranet International Limited
Registrant Street: Lenina 18 Lenina 18
Registrant City: Vladivostok
Registrant State/Province: RU
Registrant Postal Code: 690109
Registrant Country: RU
Registrant Phone: 85222190860
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: volosovik@inbox.ru
Those reports indicate that a malicious DLL is dropped with a detection rate of 9/57. These Hybrid Analysis reports [4] [5] [6] show the malware phoning home to:
91.211.119.71/data/info.php [hostname: data.ru.com] (Zharkov Mukola Mukolayovuch aka 0x2a, Ukraine)
158.255.6.109/data/info.php (Mir Telematiki, Russia)
185.154.15.150/data/info.php (Denis Leonidovich Dunaevskiy, Ukraine)
185.162.8.101/data/info.php (Eurohoster, Netherlands)
uxfpwxxoyxt.pw/data/info.php [188.120.232.55] (TheFirst-RU, Russia)
The payload is probably Locky ransomware.
Recommended blocklist:
23.95.106.206
107.173.176.4
192.3.7.198
217.13.103.48
91.211.119.71
158.255.6.109
185.154.15.150
185.162.8.101
188.120.232.55
Labels:
Hungary,
Locky,
Malware,
Netherlands,
Russia,
Spam,
TheFirst-RU,
Ukraine,
Viruses
Friday, 2 September 2016
Malware spam: "old office facilities" leads to Locky
This spam has a malicious attachment:
Analysis is pending, but this Malwr report indicates attempted communications to:
malwinstall.wang
sopranolady7.wang
..both apparently hosted on 66.85.27.250 (Crowncloud, US). Those domain names are consistent with this being Locky ransomware.
UPDATE 1
According to this Malwr report it drops a DLL with a detection rate of 10/58. Also those mysterious .wang domains appear to be multihomed on the following IPs:
23.95.106.195 (New Wave NetConnect, US)
45.59.114.100 [hostname: support01.cf] (Servercrate aka CubeMotion LLC, US)
66.85.27.250 (Crowncloud, US)
104.36.80.104 ("Kevin Kevin" / Servercrate aka CubeMotion LLC, US)
107.161.158.122 (Net3, US)
158.69.147.88 (OVH, Canada)
192.99.111.28 (OVH, Canada)
Recommended blocklist:
23.95.106.195
45.59.114.100
66.85.27.250
104.36.80.104
107.161.158.122
158.69.147.88
192.99.111.28
The name of the sender will vary. Attached is a ZIP file with a random hexadecimal number, containing a malicious .js script beginning with office_facilities_ plus another random hexadecimal number.
Subject: old office facilities
From: Kimberly Snow (Snow.741@niqueladosbestreu.com)
Date: Friday, 2 September 2016, 8:55
Hi Corina,
Attached is the list of old office facilities that need to be replaced. Please copy the list into the purchase order form.
Best wishes,
Kimberly Snow
Analysis is pending, but this Malwr report indicates attempted communications to:
malwinstall.wang
sopranolady7.wang
..both apparently hosted on 66.85.27.250 (Crowncloud, US). Those domain names are consistent with this being Locky ransomware.
UPDATE 1
According to this Malwr report it drops a DLL with a detection rate of 10/58. Also those mysterious .wang domains appear to be multihomed on the following IPs:
23.95.106.195 (New Wave NetConnect, US)
45.59.114.100 [hostname: support01.cf] (Servercrate aka CubeMotion LLC, US)
66.85.27.250 (Crowncloud, US)
104.36.80.104 ("Kevin Kevin" / Servercrate aka CubeMotion LLC, US)
107.161.158.122 (Net3, US)
158.69.147.88 (OVH, Canada)
192.99.111.28 (OVH, Canada)
Recommended blocklist:
23.95.106.195
45.59.114.100
66.85.27.250
104.36.80.104
107.161.158.122
158.69.147.88
192.99.111.28
Labels:
Locky,
Malware,
Ransomware,
Viruses
Malware spam: "Scanned image from MX2310U@victimdomain.tld" leads to Locky
This fake document scan appears to come from within the victim's own domain, but this is just a simple forgery. Attached is a malicious Word document.
Attached is a .DOCM file with a filename consisting of the recipients's email address, date and a random element. There are various different scripts which according to my source (thank you!) download a component from on of the following locations:
body-fitness.net/lagmslh
bushman-rest.com/aoeueyk
capannoneinliguria.com/lijrnub
foerschl.gmxhome.de/emyomqa
imakarademo.web.fc2.com/akwhorc
inge28.mytactis.com/cqmoxef
pennylanecupcakes.com.au/mhkqxia
rabbitfood.web.fc2.com/ixvnfyj
sakon118.web.fc2.com/srmrsgf
sebangou8.xxxxxxxx.jp/kfkdpvl
sojasaude.com.br/ahtoijg
sp-moto.ru/vodusim
t-schoener.de/mdexigc
www.bytove.jadro.szm.com/dgsqens
www.callisto.cba.pl/oqmfnar
www.ccnprodusenaturiste.home.ro/hiogthu
www.coropeppinumereu.it/xyhhytf
www.one-clap.jp/pourpjr
www.parrucchieriagiacomo.com/dekjxus
www.radicegioielli.com/aayfixd
www.sieas.com/mkndcbn
www.spiritueelcentrumaum.net/ksqoyps
www.vanetti.it/inywdjo
www.whitakerpd.co.uk/ymmcguk
www.xolod-teplo.ru/ygpwfty
yggithuq.utawebhost.at/getatoj
The payload is Locky ransomware, phoning home to:
212.109.192.235/data/info.php [hostname: take.ru.com] (JSC Server, Russia)
149.154.152.108/data/info.php [hostname: 407.AT.multiservers.xyz] (EDIS, Austria)
Recommended blocklist:
212.109.192.235
149.154.152.108
Subject: Scanned image from MX2310U@victimdomain.tld
From: office@victimdomain.tld (office@victimdomain.tld)
To: webmaster@victimdomain.tld;
Date: Friday, 2 September 2016, 2:29
Reply to: office@victimdomain.tld [office@victimdomain.tld]
Device Name: MX2310U@victimdomain.tld
Device Model: MX-2310U
Location: Reception
File Format: PDF MMR(G4)
Resolution: 200dpi x 200dpi
Attached file is scanned image in PDF format.
Use Acrobat(R)Reader(R) or Adobe(R)Reader(R) of Adobe Systems Incorporated to view the document.
Adobe(R)Reader(R) can be downloaded from the following URL:
Adobe, the Adobe logo, Acrobat, the Adobe PDF logo, and Reader are registered trademarks or trademarks of Adobe Systems Incorporated in the United States and other countries.
http://www.adobe.com/
Attached is a .DOCM file with a filename consisting of the recipients's email address, date and a random element. There are various different scripts which according to my source (thank you!) download a component from on of the following locations:
body-fitness.net/lagmslh
bushman-rest.com/aoeueyk
capannoneinliguria.com/lijrnub
foerschl.gmxhome.de/emyomqa
imakarademo.web.fc2.com/akwhorc
inge28.mytactis.com/cqmoxef
pennylanecupcakes.com.au/mhkqxia
rabbitfood.web.fc2.com/ixvnfyj
sakon118.web.fc2.com/srmrsgf
sebangou8.xxxxxxxx.jp/kfkdpvl
sojasaude.com.br/ahtoijg
sp-moto.ru/vodusim
t-schoener.de/mdexigc
www.bytove.jadro.szm.com/dgsqens
www.callisto.cba.pl/oqmfnar
www.ccnprodusenaturiste.home.ro/hiogthu
www.coropeppinumereu.it/xyhhytf
www.one-clap.jp/pourpjr
www.parrucchieriagiacomo.com/dekjxus
www.radicegioielli.com/aayfixd
www.sieas.com/mkndcbn
www.spiritueelcentrumaum.net/ksqoyps
www.vanetti.it/inywdjo
www.whitakerpd.co.uk/ymmcguk
www.xolod-teplo.ru/ygpwfty
yggithuq.utawebhost.at/getatoj
The payload is Locky ransomware, phoning home to:
212.109.192.235/data/info.php [hostname: take.ru.com] (JSC Server, Russia)
149.154.152.108/data/info.php [hostname: 407.AT.multiservers.xyz] (EDIS, Austria)
Recommended blocklist:
212.109.192.235
149.154.152.108
Labels:
Austria,
DOC,
Locky,
Ransomware,
Russia
Thursday, 1 September 2016
Malware spam: "Please find attached invoice no" leads to Locky
This spam has a malicious attachment. It appears to come from the sender themselves, but this is just a trivial forgery.
158.195.68.10/87hcrn33g
branchjp.web.fc2.com/87hcrn33g
chal4.co.uk/87hcrn33g
dashman.web.fc2.com/87hcrn33g
dcqoutlet.es/87hcrn33g
forum.sandalcraft.cba.pl/87hcrn33g
hotcarshhhs6632.com/js/87hcrn33g
hotelimperium.go.ro/87hcrn33g
imperium.nazory.cz/87hcrn33g
kawasima0506.web.fc2.com/87hcrn33g
kissfm.rdsor.ro/87hcrn33g
ksiega.solidworks.cba.pl/87hcrn33g
nevrincea.50webs.com/87hcrn33g
olivier.coroenne.perso.sfr.fr/87hcrn33g
postaldigitalrs.com.br/87hcrn33g
pp4_09_10_2s.republika.pl/87hcrn33g
reklamnibannery.wz.cz/87hcrn33g
rhanwid.com/87hcrn33g
sac360.web.fc2.com/87hcrn33g
school3.50webs.com/87hcrn33g
srxrun.nobody.jp/87hcrn33g
szkolagrojec.republika.pl/87hcrn33g
wccf.huuryuu.com/87hcrn33g
www.agridiving.net/87hcrn33g
www.archiviestoria.it/87hcrn33g
www.cmg-ingegneria.it/87hcrn33g
www.coseincredibili.it/87hcrn33g
www.courtesyweb.it/87hcrn33g
www.dallaglio-nordin.com/87hcrn33g
www.galaturs.com.ua/87hcrn33g
www.gebrvanorsouw.nl/87hcrn33g
www.gunaldy.com/87hcrn33g
www.idiomestarradellas.com/87hcrn33g
www.infoteria.cba.pl/87hcrn33g
www.termoalbiate.com/87hcrn33g
zui9reica.web.fc2.com/87hcrn33g
The payload appears to be Locky ransomware. It phones home to:
188.127.249.32/data/info.php
95.85.19.195/data/info.php
212.109.192.235/data/info.php
jljiqkwchebdtng.click/data/info.php
xattllfuayehhmpnx.pw/data/info.php
gxytcem.info/data/info.php
cmodkwsxu.biz/data/info.php
cucifux.pw/data/info.php
yectcnixjvowtac.pw/data/info.php
wkufbyd.ru/data/info.php
cjtysjouoheneprhu.ru/data/info.php
ipbjheegfnwrhh.pl/data/info.php
xmujkqloyo.info/data/info.php
hyopihvoqidlgckyu.biz/data/info.php
bhooxdm.work/data/info.php
This is similar to the list here.
Recommended blocklist:
5.34.183.211
212.109.192.235
95.85.19.195
188.127.249.0/24
91.223.180.0/24
Subject: Please find attached invoice no: 329218Attached is a ZIP file containing a malicious .wsf script. According to my usual source (thank you!) the scripts download from one of the following locations:
From: victim@victimdomain.tld
To: victim@victimdomain.tld
Date: Thursday, 1 September 2016, 12:42
Attached is a Print Manager form.
Format = Portable Document Format File (PDF)
________________________________
Disclaimer
This email/fax transmission is confidential and intended solely for the person or organisation to whom it is addressed. If you are not the intended recipient, you must not copy, distribute or disseminate the information, or take any action in reliance of it. Any views expressed in this message are those of the individual sender, except where the sender specifically states them to be the views of any organisation or employer. If you have received this message in error, do not open any attachment but please notify the sender (above) deleting this message from your system. For email transmissions please rely on your own virus check no responsibility is taken by the sender for any damage rising out of any bug or virus infection.
158.195.68.10/87hcrn33g
branchjp.web.fc2.com/87hcrn33g
chal4.co.uk/87hcrn33g
dashman.web.fc2.com/87hcrn33g
dcqoutlet.es/87hcrn33g
forum.sandalcraft.cba.pl/87hcrn33g
hotcarshhhs6632.com/js/87hcrn33g
hotelimperium.go.ro/87hcrn33g
imperium.nazory.cz/87hcrn33g
kawasima0506.web.fc2.com/87hcrn33g
kissfm.rdsor.ro/87hcrn33g
ksiega.solidworks.cba.pl/87hcrn33g
nevrincea.50webs.com/87hcrn33g
olivier.coroenne.perso.sfr.fr/87hcrn33g
postaldigitalrs.com.br/87hcrn33g
pp4_09_10_2s.republika.pl/87hcrn33g
reklamnibannery.wz.cz/87hcrn33g
rhanwid.com/87hcrn33g
sac360.web.fc2.com/87hcrn33g
school3.50webs.com/87hcrn33g
srxrun.nobody.jp/87hcrn33g
szkolagrojec.republika.pl/87hcrn33g
wccf.huuryuu.com/87hcrn33g
www.agridiving.net/87hcrn33g
www.archiviestoria.it/87hcrn33g
www.cmg-ingegneria.it/87hcrn33g
www.coseincredibili.it/87hcrn33g
www.courtesyweb.it/87hcrn33g
www.dallaglio-nordin.com/87hcrn33g
www.galaturs.com.ua/87hcrn33g
www.gebrvanorsouw.nl/87hcrn33g
www.gunaldy.com/87hcrn33g
www.idiomestarradellas.com/87hcrn33g
www.infoteria.cba.pl/87hcrn33g
www.termoalbiate.com/87hcrn33g
zui9reica.web.fc2.com/87hcrn33g
The payload appears to be Locky ransomware. It phones home to:
188.127.249.32/data/info.php
95.85.19.195/data/info.php
212.109.192.235/data/info.php
jljiqkwchebdtng.click/data/info.php
xattllfuayehhmpnx.pw/data/info.php
gxytcem.info/data/info.php
cmodkwsxu.biz/data/info.php
cucifux.pw/data/info.php
yectcnixjvowtac.pw/data/info.php
wkufbyd.ru/data/info.php
cjtysjouoheneprhu.ru/data/info.php
ipbjheegfnwrhh.pl/data/info.php
xmujkqloyo.info/data/info.php
hyopihvoqidlgckyu.biz/data/info.php
bhooxdm.work/data/info.php
This is similar to the list here.
Recommended blocklist:
5.34.183.211
212.109.192.235
95.85.19.195
188.127.249.0/24
91.223.180.0/24
Malware spam: "Our shipping service is sending the order form due to the request from your company."
This fake shipping email comes with a malicious attachment:
Automated analysis [1] [2] [3] [4] of two samples sees the script downloading from the following locations (there are probably more than this):
joeybecker.gmxhome.de/430j1t
ngenge.web.fc2.com/vs1qc0
mambarambaro.ws/1zvqoqf
timetobuymlw.in/2dlqalg0
peetersrobin.atspace.com/t2heyor1
www.bioinfotst.cba.pl/u89o4
Between those four reports, there are three different DLLs dropped (VirusTotal [5] [6] [7]). This Hybrid Analysis shows the malware phoning home to:
5.34.183.211/data/info.php [hostname: take.cli] (ITL, Ukraine)
212.109.192.235/data/info.php [hostname: take.ru.com] (JSC Server, Russia)
188.127.249.203/data/info.php [hostname: it.ivanovoobl.ru] (SmartApe, Russia)
xattllfuayehhmpnx.pw/data/info.php [91.223.180.66] (FOP Sedinkin Olexandr Valeriyovuch aka thehost.ua, Ukraine)
The payload is probably Locky ransomware.
Recommended blocklist:
5.34.183.211
212.109.192.235
188.127.249.0/24
91.223.180.0/24
Subject: Shipping informationThe sender's name will vary. Attached is a ZIP file with a random hexadecimal name, containing a malicious .js file beginning with a random sequence and endng with _shipping_service.js.
From: Charles Burgess
Date: Thursday, 1 September 2016, 9:30
Dear customer,
Our shipping service is sending the order form due to the request from your company.
Please fill the attached form with precise information.
Very truly yours,
Charles Burgess
Automated analysis [1] [2] [3] [4] of two samples sees the script downloading from the following locations (there are probably more than this):
joeybecker.gmxhome.de/430j1t
ngenge.web.fc2.com/vs1qc0
mambarambaro.ws/1zvqoqf
timetobuymlw.in/2dlqalg0
peetersrobin.atspace.com/t2heyor1
www.bioinfotst.cba.pl/u89o4
Between those four reports, there are three different DLLs dropped (VirusTotal [5] [6] [7]). This Hybrid Analysis shows the malware phoning home to:
5.34.183.211/data/info.php [hostname: take.cli] (ITL, Ukraine)
212.109.192.235/data/info.php [hostname: take.ru.com] (JSC Server, Russia)
188.127.249.203/data/info.php [hostname: it.ivanovoobl.ru] (SmartApe, Russia)
xattllfuayehhmpnx.pw/data/info.php [91.223.180.66] (FOP Sedinkin Olexandr Valeriyovuch aka thehost.ua, Ukraine)
The payload is probably Locky ransomware.
Recommended blocklist:
5.34.183.211
212.109.192.235
188.127.249.0/24
91.223.180.0/24
Wednesday, 31 August 2016
Malware spam: "bank transactions"
This fake financial spam comes with a malicious attachment:
The name of the sender will vary. Attached is a randomly-named ZIP file containing a malicious .js script with a name consisting of a random hexadecimal number plus _bank_transactions.js.
According to the Malwr report of these three samples [1] [2] [3] the (very sweary) scripts download from these following locations (there are probably more):
www.fulvio77.it/50glk
www.mbeccarini.com/8k8bpxvf
www.liviazottola.it/jdg3v7
malwinstall.wang/0un6xtal
01ad681.netsolhost.com/ym0zloe
newt150.tripod.com/rtc6a
akeseverin.com/mfr67
212.26.129.68/bxdwi0
mambarambaro.ws/1m202
virmalw.name/2lnbr
smc.psuti.ru/rvnfdn26
www.opal.webserwer.pl/hpeqoqgg
www.europegreen.org/va99dis
Each one of those samples drops a different DLL with detection rates of 8/57 or so [4] [5] [6] and according to the Hybrid Analsis reports [7] [8] [9] these phone home to:
95.85.19.195/data/info.php [hostname: vps-110831.freedomain.in.ua] (Digital Ocean, Netherlands)
138.201.191.196/data/info.php [hostname: u138985v67.ds-servers.com] (Hetzner, Germany)
188.127.249.203/data/info.php [hostname: it.ivanovoobl.ru] (SmartApe, Russia)
188.127.249.32/data/info.php (SmartApe, Russia)
cufrmjsomasgdciq.pw/data/info.php [91.223.180.66] (FOP Sedinkin Olexandr Valeriyovuch aka thehost.ua, Ukraine)
The payload is probably the Locky ransomware.
Recommended blocklist:
95.85.19.195
138.201.191.196
188.127.249.0/24
91.223.180.0/24
From: Rueben Vazquez
Date: 31 August 2016 at 10:06
Subject: bank transactions
Good morning petrol.
Attached is the bank transactions made from the company during last month.
Please file these transactions into financial record.
Yours truly,
Rueben Vazquez
The name of the sender will vary. Attached is a randomly-named ZIP file containing a malicious .js script with a name consisting of a random hexadecimal number plus _bank_transactions.js.
According to the Malwr report of these three samples [1] [2] [3] the (very sweary) scripts download from these following locations (there are probably more):
www.fulvio77.it/50glk
www.mbeccarini.com/8k8bpxvf
www.liviazottola.it/jdg3v7
malwinstall.wang/0un6xtal
01ad681.netsolhost.com/ym0zloe
newt150.tripod.com/rtc6a
akeseverin.com/mfr67
212.26.129.68/bxdwi0
mambarambaro.ws/1m202
virmalw.name/2lnbr
smc.psuti.ru/rvnfdn26
www.opal.webserwer.pl/hpeqoqgg
www.europegreen.org/va99dis
Each one of those samples drops a different DLL with detection rates of 8/57 or so [4] [5] [6] and according to the Hybrid Analsis reports [7] [8] [9] these phone home to:
95.85.19.195/data/info.php [hostname: vps-110831.freedomain.in.ua] (Digital Ocean, Netherlands)
138.201.191.196/data/info.php [hostname: u138985v67.ds-servers.com] (Hetzner, Germany)
188.127.249.203/data/info.php [hostname: it.ivanovoobl.ru] (SmartApe, Russia)
188.127.249.32/data/info.php (SmartApe, Russia)
cufrmjsomasgdciq.pw/data/info.php [91.223.180.66] (FOP Sedinkin Olexandr Valeriyovuch aka thehost.ua, Ukraine)
The payload is probably the Locky ransomware.
Recommended blocklist:
95.85.19.195
138.201.191.196
188.127.249.0/24
91.223.180.0/24
Labels:
Germany,
Hetzner,
Locky,
Malware,
Netherlands,
Ransomware,
Russia,
Spam,
Ukraine,
Viruses
Thursday, 18 August 2016
Malware spam: "The office printer is having problems so I've had to email the UPS label"
This fake UPS email has a malicious attachment. It appears to come from various countries UPS domains (e.g. ups.de, ups.co.uk), and from various senders.
a-plusrijopleiding.nl/jkYTFhb7
cloud9surfphilippines.com/jkYTFhb7
concurs.kzh.hi2.ro/jkYTFhb7
cs-czosnusie.cba.pl/jkYTFhb7
dasproject.homepage.t-online.de/jkYTFhb7
detlevs-homepage.de/jkYTFhb7
edios.vzpsoft.com/jkYTFhb7
entree22.homepage.t-online.de/jkYTFhb7
entrematicomstyle.com/jkYTFhb7
hanakago3.web.fc2.com/jkYTFhb7
infocoard.50webs.com/jkYTFhb7
mortony.cba.pl/jkYTFhb7
ramenman.okoshi-yasu.com/jkYTFhb7
rgcgifuhashima.aikotoba.jp/jkYTFhb7
sulportale.50webs.com/jkYTFhb7
wb4rsun8c.homepage.t-online.de/jkYTFhb7
www.1-anwalt.de/jkYTFhb7
www.alexpalmieri.com/jkYTFhb7
www.beneli.be/jkYTFhb7
www.bkcelje.50webs.com/jkYTFhb7
www.ceccatobassano.it/jkYTFhb7
www.fabriziorossi.it/jkYTFhb7
www.jphmvossen.nl/jkYTFhb7
www.kdr.easynet.co.uk/jkYTFhb7
www.learnetplus.org/jkYTFhb7
www.lechner-maria.de/jkYTFhb7
www.parma-vivai.it/jkYTFhb7
www.pizzeriaelite.it/jkYTFhb7
www.pulsefl.0catch.com/jkYTFhb7
www.unice.it/jkYTFhb7
zsp17.y0.pl/jkYTFhb7
This dropped binary has a detection rate of 6/54. It phones home to the following locations:
185.129.148.19/php/upload.php (MWTV, Latvia)
51.255.107.8/php/upload.php (Webhost LLC Dmitrii Podelko, Russia / OVH, France)
194.67.210.183/php/upload.php (Marosnet, Russia)
Recommended blocklist:
185.129.148.0/24
51.255.107.8
194.67.210.183
From "Laurence lumb" [Laurence.lumb25@ups.de]Attached is a ZIP file with a name beginning "Label" plus a random number. This contains a malicious .WSF script file that downloads Locky ransomware from one of the following locations (according to my trusted source):
Date Thu, 18 Aug 2016 17:35:21 +0530
Subject Emailing: Label
Good afternoon
The office printer is having problems so I've had to email the UPS label,
sorry for the inconvenience.
Cheers
Laurence lumb
a-plusrijopleiding.nl/jkYTFhb7
cloud9surfphilippines.com/jkYTFhb7
concurs.kzh.hi2.ro/jkYTFhb7
cs-czosnusie.cba.pl/jkYTFhb7
dasproject.homepage.t-online.de/jkYTFhb7
detlevs-homepage.de/jkYTFhb7
edios.vzpsoft.com/jkYTFhb7
entree22.homepage.t-online.de/jkYTFhb7
entrematicomstyle.com/jkYTFhb7
hanakago3.web.fc2.com/jkYTFhb7
infocoard.50webs.com/jkYTFhb7
mortony.cba.pl/jkYTFhb7
ramenman.okoshi-yasu.com/jkYTFhb7
rgcgifuhashima.aikotoba.jp/jkYTFhb7
sulportale.50webs.com/jkYTFhb7
wb4rsun8c.homepage.t-online.de/jkYTFhb7
www.1-anwalt.de/jkYTFhb7
www.alexpalmieri.com/jkYTFhb7
www.beneli.be/jkYTFhb7
www.bkcelje.50webs.com/jkYTFhb7
www.ceccatobassano.it/jkYTFhb7
www.fabriziorossi.it/jkYTFhb7
www.jphmvossen.nl/jkYTFhb7
www.kdr.easynet.co.uk/jkYTFhb7
www.learnetplus.org/jkYTFhb7
www.lechner-maria.de/jkYTFhb7
www.parma-vivai.it/jkYTFhb7
www.pizzeriaelite.it/jkYTFhb7
www.pulsefl.0catch.com/jkYTFhb7
www.unice.it/jkYTFhb7
zsp17.y0.pl/jkYTFhb7
This dropped binary has a detection rate of 6/54. It phones home to the following locations:
185.129.148.19/php/upload.php (MWTV, Latvia)
51.255.107.8/php/upload.php (Webhost LLC Dmitrii Podelko, Russia / OVH, France)
194.67.210.183/php/upload.php (Marosnet, Russia)
Recommended blocklist:
185.129.148.0/24
51.255.107.8
194.67.210.183
Monday, 15 August 2016
Malware spam: "Jen [Jen@purple-office.com]" / "Documents from Purple Office - IN00003993"
These fake financial documents have a malicious attachment:
From: Jen [Jen@purple-office.com]Attached is a randomly-named DOCM file which is almost definitely a variant of Locky ransomware as seen here and here.
Date: 15 August 2016 at 14:10
Subject: Documents from Purple Office - IN00003993
Please find attached invoice/credit from Purple Office.
Best regards,
Purple Office
Subscribe to:
Posts (Atom)